Am new to freeradius but have it mainly set up just fine. It's a fantastic tool and I'm enjoying using it :) Just one thing I'm struggling with is the huntgroups. I've followed the wiki to the letter and can see the server checking in the debug log. What I basically want to do is restrict users to certain networks, as per the wiki. If their huntgroup-name matches their huntgroup based on nasip, they can get online, otherwise they're rejected. I've put Huntgroup-Name = NetworkA in my radgroupcheck folder. In my radhuntgroup table, I have the nasip and groupname = NetworkA Then, in the authorize section of my default host, I put: update request { Huntgroup-Name := "%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}" } if (Huntgroup-Name == ''){ reject } All as per the tutorial In my debug log, if there is no match by IP, Huntgroup-Name is blank and the user is rejected. However, if the nasip address match but the name is different, the user is still allowed on. Do I need a more advanced query in the if section and if so,could you please advise what it should be Simon -- View this message in context: http://freeradius.1045715.n5.nabble.com/Huntgroup-Checking-tp4950385p4950385... Sent from the FreeRadius - User mailing list archive at Nabble.com.
simonm123 wrote:
Am new to freeradius but have it mainly set up just fine. It's a fantastic tool and I'm enjoying using it :)
That's good to hear.
Just one thing I'm struggling with is the huntgroups. I've followed the wiki to the letter and can see the server checking in the debug log.
What I basically want to do is restrict users to certain networks, as per the wiki. If their huntgroup-name matches their huntgroup based on nasip, they can get online, otherwise they're rejected.
OK...
I've put Huntgroup-Name = NetworkA in my radgroupcheck folder.
Use "==". It does comparisons.
In my radhuntgroup table, I have the nasip and groupname = NetworkA
Then, in the authorize section of my default host, I put:
update request { Huntgroup-Name := "%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}" }
No, that won't work. The huntgroups are defined by the "huntgroups" file. You can't change them like you're trying to do. Instead, use another attribute. Invent one. See raddb/dictionary. Alan DeKok.
I meant Huntgroup-Name == NetworkA in my radgroupcheck table. I'm not using the huntgroups file - they're all in my db. The wiki suggests using the query below restrict access per network. If that query below is not going to work, it's a little misleading. Or is it just incomplete? On 30 Oct 2011, at 17:03, Alan DeKok wrote:
simonm123 wrote:
Am new to freeradius but have it mainly set up just fine. It's a fantastic tool and I'm enjoying using it :)
That's good to hear.
Just one thing I'm struggling with is the huntgroups. I've followed the wiki to the letter and can see the server checking in the debug log.
What I basically want to do is restrict users to certain networks, as per the wiki. If their huntgroup-name matches their huntgroup based on nasip, they can get online, otherwise they're rejected.
OK...
I've put Huntgroup-Name = NetworkA in my radgroupcheck folder.
Use "==". It does comparisons.
In my radhuntgroup table, I have the nasip and groupname = NetworkA
Then, in the authorize section of my default host, I put:
update request { Huntgroup-Name := "%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}" }
No, that won't work. The huntgroups are defined by the "huntgroups" file. You can't change them like you're trying to do.
Instead, use another attribute. Invent one. See raddb/dictionary.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On further investigation, I can see that the check works just fine if the attribute huntgroup-name == xxxxxxx is added to radcheck For what reason can't we add to radgroupcheck? What's the logic required to modify so we can restrict on a group level? On 30 Oct 2011, at 17:03, Alan DeKok wrote:
simonm123 wrote:
Am new to freeradius but have it mainly set up just fine. It's a fantastic tool and I'm enjoying using it :)
That's good to hear.
Just one thing I'm struggling with is the huntgroups. I've followed the wiki to the letter and can see the server checking in the debug log.
What I basically want to do is restrict users to certain networks, as per the wiki. If their huntgroup-name matches their huntgroup based on nasip, they can get online, otherwise they're rejected.
OK...
I've put Huntgroup-Name = NetworkA in my radgroupcheck folder.
Use "==". It does comparisons.
In my radhuntgroup table, I have the nasip and groupname = NetworkA
Then, in the authorize section of my default host, I put:
update request { Huntgroup-Name := "%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}" }
No, that won't work. The huntgroups are defined by the "huntgroups" file. You can't change them like you're trying to do.
Instead, use another attribute. Invent one. See raddb/dictionary.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Can anyone tell me if hungroup checking can be made to work on the group level, not just the user level? Thanks -- View this message in context: http://freeradius.1045715.n5.nabble.com/Huntgroup-Checking-tp4950385p4958155... Sent from the FreeRadius - User mailing list archive at Nabble.com.
You may need to inspect whether the groupcheck query in mysql/dailup.conf (if you are using MySQL) looks in the huntgroup table. For example, this is the default query in my copy of freeRADIUS provided by Debian: authorize_group_check_query = "SELECT id, groupname, attribute, \ Value, op \ FROM ${groupcheck_table} \ WHERE groupname = '%{Sql-Group}' \ ORDER BY id" Try modifying it as such: authorize_group_check_query = "SELECT id, groupname, attribute, \ value, op \ FROM ${groupcheck_table} \ WHERE ( groupname = '%{Sql-Group}' \ OR groupname = '%{Huntgroup-Name}' ) \ ORDER BY id" On Wed, Nov 2, 2011 at 9:07 AM, simonm123 <simon.morley@me.com> wrote:
Can anyone tell me if hungroup checking can be made to work on the group level, not just the user level?
Thanks
-- View this message in context: http://freeradius.1045715.n5.nabble.com/Huntgroup-Checking-tp4950385p4958155... Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Ben West westbywest@gmail.com
I'm having the very same issue, and can't understand why. If the Huntgroup-Name value is in radcheck the limitation is done correctly, but it is not when the Huntgroup-Name is in radgroupcheck, while the example here [1] is exactly with radgroupcheck. The proposed change doesn't work, also because it's not relevant. As per the example in the url: example user is in group site_a_admins (radusergroup) site_a is in radhuntgroup have in radgroupcheck: site_a_admins Huntgroup-Name == site_a access is allowed anywhere. If you move the check in radcheck, like: example user Huntgroup-Name == site_a then the check is performed correctly. The proposed modification to the group check query just adds huntgroup's properties to the request. thanks [1] http://wiki.freeradius.org/guide/SQL_Huntgroup_HOWTO ----- Messaggio originale -----
Da: "Ben West" <westbywest@gmail.com> A: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Inviato: Mercoledì, 2 novembre 2011 15:22:25 Oggetto: Huntgroup Checking
You may need to inspect whether the groupcheck query in mysql/dailup.conf (if you are using MySQL) looks in the huntgroup table.
For example, this is the default query in my copy of freeRADIUS provided by Debian:
authorize_group_check_query = "SELECT id, groupname, attribute, \ Value, op \ FROM ${groupcheck_table} \ WHERE groupname = '%{Sql-Group}' \ ORDER BY id"
Try modifying it as such:
authorize_group_check_query = "SELECT id, groupname, attribute, \ value, op \ FROM ${groupcheck_table} \ WHERE ( groupname = '%{Sql-Group}' \ OR groupname = '%{Huntgroup-Name}' ) \ ORDER BY id"
On Wed, Nov 2, 2011 at 9:07 AM, simonm123 <simon.morley@me.com> wrote:
Can anyone tell me if hungroup checking can be made to work on the group level, not just the user level?
Thanks
-- View this message in context: http://freeradius.1045715.n5.nabble.com/Huntgroup-Checking-tp4950385p4958155... Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Ben West westbywest@gmail.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Lorenzo Milesi - lorenzo.milesi@yetopen.it YetOpen S.r.l. - http://www.yetopen.it/
participants (5)
-
Alan DeKok -
Ben West -
Lorenzo Milesi -
Simon Morley -
simonm123